Analysis: How data breaches affect stock market share prices

Data breaches stain the reputations of modern-day companies both big and small. They instill doubt and reduce trust in consumers, and sometimes the consequences can affect customers for years to come. A data breach can harm both public sentiment and a company’s competitive edge in the market. Staff get fired, executives are replaced, and entire systems are overhauled to ensure that it doesn’t happen again.

But what about investors? How does Wall Street react to a data breach? This is the question we set out to answer.

We analyzed the closing share prices of 24 companies, most of them listed on the New York Stock Exchange, starting the day prior to the public disclosure of their respective data breaches. Included are many of the largest data breaches in history; all of them resulted in at least 1 million records leaked, and some surpassed 100 million.

Some of our key findings include:

Stocks on average suffer an immediate decrease in share price following a breach of 0.43%, about equal to their average daily volatility

In the long term, share prices continue to rise on average, but at a much slower pace. We saw a 45.6% increase in share price during three years prior to breach, and only 14.8% growth in the three years after. Daily volatility was about the same for both periods.

Breached companies tend to underperform the NASDAQ. They recover to the index’s performance level after 38 days on average, but after three years the NASDAQ ultimately outperforms them by a margin of over 40 percent

More recent breaches had less of a negative impact on share price than older ones

Finance companies experienced the largest immediate decline in share price directly after a breach, but internet businesses, such as ecommerce and social media companies, suffered the most in the long term

Larger breaches had less of an impact on share price than smaller breaches

Breaches of highly sensitive data, such as credit card and social security numbers, had a greater impact on the immediate drop in share price following a breach than companies that leaked less sensitive info, such as email addresses. The sensitivity of breached data had a less clear impact on share price in the long term

Methodology

Excluding statistical outliers, we analyzed the share prices of these companies chosen on the following criteria:

They experienced a breach of 1 million or more records

They were publicly listed on a major stock market at the time of the breach, preferably the NYSE (a few stocks from the London and Hong Kong markets are included, but not in our NASDAQ comparison. Tokyo Stock Exchange historical data is not freely accessible, so we excluded companies listed there)

The breach has been publicly disclosed

Initially, we simply looked at whether the share price went up or down. After a data breach disclosure, most stocks saw an immediate drop in share price. We calculated the daily volatility (standard deviation) of the mean stock prices to give the size of the drop some context.

But this method fails to account for market forces beyond the scope of the study. To control for this, we opted to add a second stage to the analysis. In this stage, we compare the performance of each stock with the NASDAQ for the same time period, and calculate the difference in performance between them. Here’s the formula:

(((Company prices on day X after breach)/(Company price on day prior to breach)-1)*100) - (((NASDAQ prices on day X after breach)/(NASDAQ on the day prior to breach)-1)*100)

Essentially, we set the NASDAQ index performance to zero. That means if a company’s stock fell 1% and the NASDAQ rose 2% in the month after a data breach, the calculated decrease is 3%. The NASDAQ is a common standard for overall market performance, and most of these stocks are listed on it. If the NASDAQ fell 2% and the company’s stock price rose 2%, we report an increase of 4%. If the NASDAQ rose 2% but the company only rose 1%, that’s a 1% decrease versus the market. Finally, if the company’s stock price falls 2% but the S&P 500 falls 3%, then the company still sees a relative increase of 1%.

In short, we make the NASDAQ’s performance the baseline instead of zero. We are primarily concerned with the following:

the immediate effect of a data breach on closing share price compared to daily volatility

the percent difference in closing share price performance versus the S&P 500 over the same period of time from the day prior to a breach,

and the recovery time for that percent change to return to zero or greater.

Historical stock data were downloaded on April 26, 2017 from either Google Finance or Yahoo Finance.

We analyzed all of the stocks together and we also split them up by different factors to see if we could spot any patterns. These include the year of the breach, the size of the breach, the sensitivity of the leaked info, and the industry of the company. These findings, while insightful, are less statistically significant due to the smaller sample size.

Stock exchanges are only open on business days, which means no weekends or holidays. Here’s a quick reference that roughly converts business days to total time:

One year: 264 business days

9 months: 198 business days

6 months: 132 business days

3 months: 66 business days

1 month: 22 business days

1 week: 5 business days

Finally, we elected not to use the mean or median percent change in stock price versus the NASDAQ to present our findings. While these can be helpful, the nature of the stock market is too volatile to glean any stable trends by simply averaging the data from each day. Instead, we chose to fit and plot a loess regression model to each data set. The loess model is not exactly an average, but it can be used to make predictions about how another company’s share price would behave in response to a data breach.

Let’s start with our overall findings.

What effect does a data breach have on share price?

Stock prices continue to rise overall in spite of data breaches, but much slower than they did previously. To give you an idea in the most broad terms, here’s the average performance from our 24 companies calculated by percent change in share price (45.6% increase):

And here is their performance in the three years following a breach (14.6% increase in share price):

In the three years prior to the breach, daily volatility (standard deviation of the daily mean values of all share prices) was 0.45%

In the short term, prices only fell an average of about half a percent directly following a breach. In the long term, however, the average share price stagnated and struggles to surpass 10 percent growth until after about two years, when it starts to pick back up again again.

Granted, every stock is different. Some excelled despite breaches, while others floundered.

Compared to the NASDAQ, these stocks performed poorly on average. They experienced an immediate 2.83% decrease in performance and recover 30 business days later. They keep up with the NASDAQ until about six months later when prices take a downturn. One year later, the stocks we analyzed underperformed the NASDAQ by an average of 7.33%. Three years later, share price had dropped 41.6% relative to the NASDAQ.

For the rest of this analysis, we’re mainly going to focus on the effects of a data breach during the year after it occurs. We chose one year as our benchmark because the most recent breaches we examined occurred in 2016, so they’re only one year old. This means fewer stocks are excluded and we’re working with the largest sample size possible. Additionally, the more time that passes after a breach, the more other factors not related to the data breach start to influence stock price and introduce noise.

In the following analyses, we grouped the stocks together by different factors. We show the initial fall in share price and performance versus the NASDAQ, plus the average volatility of the stocks for the three years prior to their breach.

NASDAQ benchmark validation

We ran the same one-year overall comparison analysis that we used on the NASDAQ against the S&P 500. We did this to ensure that the NASDAQ comparison results are materially similar to other broad benchmarks. The S&P 500 is a fairly standard benchmark for overall market performance. Recall that we removed the stocks not listed on the NYSE for all of the NASDAQ comparisons: V-Tech, Betfair, and Experian.

Here is the overall NASDAQ comparison for one year:

And here it is for the S&P 500:

The curve is slightly different but overall doesn’t vary much from the NASDAQ.

In the following analyses, we grouped the stocks together by different factors.

Time of breach

This analysis groups companies into three groups according to when they were breached. Our goal is to find out whether breaches have a larger or smaller impact on share prices over time.

The most notable result is older breaches met with a stronger initial reaction than newer breaches. One theory is that breaches were a relatively uncommon occurrence prior to 2012, but as time goes on they become more common. This causes a “breach fatigue”, or bed-of-nails effect, in which investors are less shaken by data breaches as time goes on.

Beyond the initial change in share price, breaches didn’t seem to affect share price differently in the long term based on when they first happened. Share price performance varied too widely to discern any useful conclusion.

The companies breached prior to 2011 took a 3.17% hit to their share price and recovers 13 days later. They initially dropped almost 12% versus the NASDAQ on average. The model recovers and surpasses NASDAQ performance around day 75, after which the breach doesn’t seem to have a consistent effect.

This is a good example of why we use the NASDAQ comparison to account for outside factors. HealthNet ($HNT), which appears to perform strongest at the end of the year when simply looking at its share price over time, is actually the weakest performer when compared to the general market index.

Companies that suffered a breach between 2012 and 2014 suffer a 1% drop in share price, but compared to the NASDAQ, performance is almost dead even at the start. Average share price stagnates, and the stocks collectively underperform the NASDAQ by 11.1% at the year’s end.

In the last couple of years we’ve apparently reached data breach fatigue, as they don’t seem to have nearly as much of an impact as in other years. Stock prices on average didn’t even take an initial hit, instead continuing to rise steadily.

Our NASDAQ comparison shows a similar initial reaction: prices continue to rise after a very small performance drop of less than 1%. The average is held up by the strong performance of Heartland Payment Systems, while JP Morgan, Anthem, and Yahoo underperform. The decline you see at the end is due to the de-listing of two high-performing stocks, LinkedIn ($LNKD) and Heartland Payment Systems ($HPY)

Industry

In these analyses, we explored how share prices were affected by data breaches in specific industries. We categorized each of the stocks into one of five verticals: healthcare, finance, technology, ecommerce and social media, and retail. Note that the samples for these are quite small, so while they may be of interest, they are not as statistically rooted as the more general analyses.

Finance-related companies were hit hard by data breaches, as one might expect. After an initial fall of almost 3% on an average volatility of 0.19%, they continue to drop for over a month to -3.49%, when things gradually start picking up again.

The NASDAQ comparison draws a slightly different picture. Stocks suffer a large initial drop but are able to recover and surpass the NASDAQ’s performance after about a month.

Technology: Sony, Apple, T-Mobile, Vodafone, VTech, Adobe

Initial fall: -2.45% (-3.61% vs NASDAQ)

Volatility: 0.25%

Technology stocks collectively take a significant initial hit, although not as much as those of finance companies. It takes 17 days for share prices to recover back to where they were just before the breach, and 30 days to catch up to the NASDAQ. By the end of the year, however, performance fell 9.12% versus the NASDAQ.

We surmise Apple’s poor performance during this period was more to do with the succession of its former CEO Steve Jobs, who died less than a year earlier, and the launch of the first iPhone since his death. Apple pulled down the average considerably.

Despite only taking a minor initial hit to share price, these stocks underperformed against the NASDAQ by a wide margin. After about three months of lackluster growth, share prices eventually tumble. On year later, average share price is down 7.66% from the day prior to the breach, a whopping 47.2% beneath the NASDAQ, and still descending.

These plots might look a bit suspicious to you–the share price for LinkedIn ($LNKD) suddenly spikes, then some time later, it disappears entirely. This is because Microsoft agreed to acquire LinkedIn shortly after its data breach in June 2016, causing a huge surge in its stock price. Then the company delisted from the NASDAQ the following December. While this accounts for some of the volatility in the chart, the shape of the curve is more or less the same with or without it, so we decided to leave it in.

It would appear these companies are better insulated against the initial shock of a data breach, but in the long term they suffer more.

Retail: Target, TJ Maxx, Home Depot, Staples

Initial fall: 0.54% (3.0% vs NASDAQ)

Volatility: 0.13%

As the number of companies becomes fewer, now is a good time to remind readers that the sample size is much smaller and the results much less significant. We only analyzed four retail companies.

Big box stores only suffered a small initial fall, and share prices rose for 115 market days. Compared to the NASDAQ, however, they performed quite dismally for the better part of a year until things start picking up again around day 172. Target’s ($TGT) stock price sticks pretty close to the model here, so that’s probably the best option for a case study in how data breaches affect retail business.

Healthcare – Anthem, Health Net, Community Health Systems

Initial fall: none

Volatility: 0.16%

We only analyzed three healthcare companies, so our results should be taken with a big grain of salt. Still, we though it worth including. The breaches did not seem to have much affect on these companies.

Performance versus the NASDAQ is heavily swayed by the ups and downs of Health Net ($HNT).

Size of breach

This analysis groups each of the stocks by size of breach: 1-10 million records, 11 to 99 million records, and 100 million or more records breached. Our hypothesis was simple: the bigger the breach, the bigger the drop in share price. But the results actually surprised us.

After a small, brief initial drop in share price, the companies with the largest data breaches of 100 million or more records didn’t seem to suffer much despite their enormity. Bear in mind, however, that there are only four companies in this sample. Performance was held aloft largely thanks to Heartland Payment Systems ($HPY).

While not the largest breaches in our analysis, these companies still leaked a huge number of records. In spite of that fact, share prices didn’t fall and their stocks continued to rise steadily.

Compared to the NASDAQ, performance fell by 3.54% the day following the breach. At the lowest point, share prices underperformed the NASDAQ by 8.39% around market day 162, but they soon recovered and outperformed the index by 8.53% at the end of the year.

A notable stock to observe here is Apple ($AAPL), which fell in sharp contrast to most of the others. While Apple did suffer a data breach, the fault for that breach was not directly Apple’s, but a law enforcement leak of Apple’s customer data. We surmise Apple’s poor performance during this period was more to do with the succession of its former CEO Steve Jobs, who died less than a year earlier, and the launch of the first iPhone since his death.

Ironically, it was the smallest breaches in our analysis that impacted share price the most. After the initial 2% hit, they recovered 21 days later. After peaking at 1.96%, they fell again to 5.91% below their pre-breach share price 165 market days after the breach.

The NASDAQ comparison looks a bit different but still leaves this group the worst off compared to the larger breaches. Share prices eventually recover in relation to the NASDAQ after a long 116 market days. By year’s end, however, share prices once again underperform the NASDAQ by over 22%.

Sensitivity of stolen info

This analysis groups stocks by the sensitivity of the data that was breached. Those that leaked the most sensitive information–credit cards and social securitn numbers–took a significant hit, while the damage to those that leaked passwords was miniscule.

The first group is highly sensitive information, primarily credit and debit card numbers or social security numbers. When this information is leaked, there are direct consequences–identity theft and credit card fraud–that cannot be resolved with a quick fix from the company.

After an initial 1.76% average initial drop in share price, the stocks recovered 23 days later. Our comparison to the NASDAQ showed a similar result, recovering after 39 business days and going on to outperform the NASDAQ by a significant margin.

The second group includes unencrypted passwords, secret questions and answers, medical records, and other login information. This info could be used by hackers to access user accounts. While a company can simply require password resets in such a case, many people use the same password and login info on other sites. That means the information could indirectly cause someone’s other accounts to be hacked.

Stock prices for these companies didn’t drop in the wake of their breaches. The ‘S’ shape of the graph is influenced heavily by LinkedIn, which was sold to Microsoft and de-listed from the NASDAQ in the year after its breach. Without it, the chart would be a more gradual and steady increase, but an increase nonetheless.

The NASDAQ comparison shows an overall decrease, not an increase, but we’re only evaluating four stocks in the NASDAQ comparison, and those were heavily influenced by LinkedIn ($LNKD) and HealthNet ($HNT).

Finally, the last group includes breaches of information that can’t be directly used by a hacker to access someone’s account, but could be used to target account holders with advertisements, scams, and phishing emails. This information includes email addresses, usernames, addresses, and phone numbers among other information.

While these companies didn’t experience a huge drop directly after a breach, their share prices did suffer in the long term. Average share price fell below what it was the day before the breach 107 market days later and continued to decline to -7.27% by the end of the year. Our NASDAQ comparison shows a 1.55% initial performance hit that continues to decline to 13.56% by the end of the year.

The data breaches we analyzed

Below we’ve listed each of the companies and some details about their respective data breaches. Note that some companies suffered from multiple data breaches. In that case, we began our analysis from the business day prior to the earliest data breach. Most companies are listed on the NYSE, but some are listed on the London and Hong Kong stock exchanges. In that case, we did not include it in our NASDAQ comparison, only the normal share price analysis. If a company is listed on multiple stock exchanges, we opted for the NYSE data as it would be more closely aligned with the NASDAQ.

We chose to use the date of the day prior to disclosure according to the earliest possible media report, press release, or other available source online. Note, however, that the data breaches often took place much earlier. Once a hacker gains access, they can remain undetected for several weeks, months, and even years. Even after they are discovered and blocked, companies often wait weeks or months before publicly disclosing the breach.

LinkedIn ($LNKD)

Monster ($MWW)

August 21, 2007 – 1.3 million names, addresses, phone numbers and e-mail addresses of job seekers were breached five days prior to disclosure

January 23, 2009 – An unknown number of user IDs and passwords were stolen, along with names, e-mail addresses, birth dates, gender, ethnicity, and in some cases, users’ states of residence were breached

Royal Bank of Scotland ($RBS)

December 29, 2008 – 1.5 million RBS Worldpay payroll and gift card holders’ card data was breached, 1.1 million of which also included social security records were breached on November 10, over a month earlier

Sony ($SNE)

November 24, 2014 – 10 million employee records including some social security numbers breached allegedly over a year-long period

Yahoo ($YHOO)

May 20, 2013 – 22 million user Yahoo Japan IDs breached on May 16 (note: Yahoo Japan is listed separately on the Tokyo Stock exchange and is not part of this analysis)

Factors not accounted for and blindspots

As with any financial market study, there is a huge slew of factors that could affect stock price which we cannot account for. While we’ve tried to minimize blindspots by comparing share price performance against that of the S&P 500, there are bound to be some unexplained inconsistencies.

Two noteworthy factors that we did not cover in this analysis stood out most. The first: payouts. If a data breach leaks particularly damaging information that ultimately incurs financial damages to a company’s customers, and the company was shown not to have adequately protected the information leaked in that breach, then customers often sue in class-action lawsuits. These usually result in settlements, in which the company forks out millions of dollars to reimburse customers for damages. This does not always happen and the amount paid out varies, so we simply don’t have enough data to fit a practical model that shows how these settlements affect stock prices.

The second is financial reports. This would perhaps warrant an entirely separate study. We analyzed the share price starting with the day prior to when a data breach was publicly disclosed. While a company might divulge what information was leaked and how many records were affected in that initial disclosure, other consequences might not be revealed until the company releases its requisite quarterly shareholder report. This could include loss of sales or users, diverting funds to invest in data security, or other important information related to the breach that could cause investors to jump ship.